authorCarl Hetherington <cth@carlh.net>2025-11-13 11:28:02 +0100
committerCarl Hetherington <cth@carlh.net>2025-11-13 12:30:52 +0100
commit3334d3b4a648e9c600f27ec3789dbb8abb199e67 (patch)
treed25d59e919b261a799a315b8c78ae35d9861ecc4 /src
parenta1d0ec67f0ab65b61140d28cfb726812c1604cdc (diff)
Don't check the certificate not before/after validity in chain_valid().v1.10.40
I think this should be checked separately, as out-of-date certificates are still useful (e.g. if they are related to KDM decryption).
Diffstat (limited to 'src')
-rw-r--r--src/certificate_chain.cc11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/certificate_chain.cc b/src/certificate_chain.cc
index 0afc7e62..953ab22e 100644
--- a/src/certificate_chain.cc
+++ b/src/certificate_chain.cc
@@ -482,7 +482,16 @@ CertificateChain::chain_valid(List const & chain, string* error) const
throw MiscError ("could not create X509 store context");
}
- X509_STORE_set_flags (store, 0);
+#ifdef LIBDCP_HAVE_NO_CHECK_TIME
+ X509_STORE_set_flags(store, X509_V_FLAG_NO_CHECK_TIME);
+#else
+ auto param = X509_VERIFY_PARAM_new();
+ X509_VERIFY_PARAM_set_time(param, i->not_before().as_time_t() + 60);
+ X509_STORE_set1_param(store, param);
+ X509_STORE_set_flags(store, X509_V_FLAG_USE_CHECK_TIME);
+ X509_VERIFY_PARAM_free(param);
+#endif
+
if (!X509_STORE_CTX_init (ctx, store, j->x509(), 0)) {
X509_STORE_CTX_free (ctx);
X509_STORE_free (store);
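Review bot: In the `#else` branch, pinning the check time to `i->not_before().as_time_t() + 60` is not equivalent to `X509_V_FLAG_NO_CHECK_TIME`: verification can still fail on validity dates whenever `j` (the certificate handed to `X509_STORE_CTX_init`) is not valid at that instant, for example, assuming `i` is the issuer, a certificate issued more than a minute after it. If the two validity windows are expected to overlap, `std::max(i->not_before().as_time_t(), j->not_before().as_time_t()) + 60` is closer to the intent, though still not a full substitute for the flag. `X509_VERIFY_PARAM_new()` can return null and is used unchecked, and the result of `X509_STORE_set1_param` is ignored; on failure this should free `ctx` and `store` and throw `MiscError`, as the `X509_STORE_CTX_init` failure path just below does. Because chain_valid() now accepts chains with expired certificates, a comment at this point such as `// Validity dates are deliberately not checked here; callers that need them must check not_before/not_after separately` would stop callers reading a true result as proof the chain is current. The function body starts and ends outside this hunk, so the roles of `i` and `j` are inferred from the visible lines.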